| Category | Details |
|---|---|
| Threat Actors | Sandworm (linked to Russian military intelligence, GRU), also tracked as UAC-0125 and APT44 |
| Campaign Overview | Espionage campaign targeting Ukrainian soldiers with fraudulent websites mimicking the Army+ app to deliver malware. The attack results in system compromise and data exfiltration. |
| Target Regions (Victims) | Ukraine; Ukrainian military personnel |
| Methodology | Creation of fake websites hosted on Cloudflare Workers; malware delivered through an executable disguised as the app installer. |
| Product Targeted | Ukrainian military app Army+; messaging apps used by the Ukrainian armed forces (e.g., Telegram, Signal); devices captured on the battlefield |
| Malware Reference | NSIS-based installer; the malicious program grants hidden access and exfiltrates data over the Tor network |
| Tools Used | NSIS (Nullsoft Scriptable Install System), Tor network, Cloudflare Workers |
| Vulnerabilities Exploited | No software flaw is described; the campaign abuses a legitimate service (Cloudflare Workers) to host fraudulent sites and relies on social engineering. |
| TTPs | Phishing (fake websites), malware delivery disguised as a legitimate app, data exfiltration via Tor, use of legitimate services for obfuscation |
| Attribution | Highly likely linked to Sandworm (APT44), a Russian state-sponsored threat actor, possibly associated with the GRU. |
| Recommendations | Improved awareness and detection for phishing attacks, secure app development, and greater scrutiny of apps used by military personnel. |
| Source | The Record |
Read full article: https://therecord.media/ukraine-military-app-espionage-russia-sandworm
The above summary has been generated by an AI language model